Hello and welcome to the blog of Kevin Fason! This is my day-to-day technical journal. Currently I am the End User Computing Architect for a large engineering firm in Denver. I have had various roles over the years, from Communications (PBX & Voicemail) and Administration to IT Global Manager. Deployment is a big part of my mindset (OSD, MDT, going back to dd), so I have come across lots of scenarios and issues working for a firm that's on all the continents and in zillions of countries.

Tuesday, November 15, 2016

Inject Windows 10 Cumulative via DISM in ConfigMgr

Previously I talked about an issue around Windows 10 1607 and WSUS patching for B&C Task Sequences. We use MDT to create images that are in turn deployed via SCCM. This issue reminded me of some past items in Windows 7 around updates that need to be pre-injected before sysprep runs, aka first bootup. Some off the top of my head:

NVMe (KB2990941)

TPM 2.0 (KB2920188)

Servicing Stack (KB3020369)

This got me to rethink what our best approach is for patching Windows 10 systems during deployments. Does it make sense to have first bootup as patched as we can, either during B&C or during deployment? You have to decide if it does for your environment. For mine it looks to be the case to do it during deployment, at least until MS brings Unified Update Platform (UUP) to life and it works its way into SCCM.

With Windows 10, a big way to handle early boot issues is to apply the latest Cumulative. This can mean the B&C WIM only gets changed for items other than patches, so I think I can get to one or two B&C WIM cycles in between major releases such as the upcoming Creators Update. Traditionally with Windows 7 we push a new one once a quarter and the Apply Patches steps get them current otherwise. By injecting the latest cumulative, the Apply Drivers step has less to process when it generates the JET database used by Windows Update and determines what patches apply. This also has the benefit of working with any out-of-band cumulatives released. You run whatever cumulative you want or, for me, the minimum needed for WSUS to work in the B&C process.

The downside would be size: as of today the latest 64-Bit cumulative (KB3200790) is 892MB, so that is extra storage on a DP that will grow as new cumulatives are released. I have not validated this, but the update should match what is pulled via SUP, so storage and replication may be minor. Since I use Nomad this does not apply to me, as it does not have any centralized store like an SCCM DP does.

So going off my previous issue, we inject the minimum patches needed into the B&C WIM and run the latest Cumulative during deployment from ConfigMgr. Here is how to set it up for 1607:

This assumes you only put the 64-Bit MSU in the package. If you put both 32-Bit and 64-Bit MSU files in one package, you will have to modify the Command line step as needed. The step above will apply any files it finds in that path.
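For the mixed 32-Bit/64-Bit package case, here is an added example (not the command line from the original post) of a PowerShell wrapper around DISM that injects only the MSU files matching the target architecture into the offline image and records each file's SHA-256 in the log for later comparison against the Microsoft Update Catalog. The script name and parameter names are hypothetical, and it assumes the boot image includes the PowerShell optional component and that the MSU files keep their Update Catalog file names (for example `...-x64_<hash>.msu`).

```powershell
# Inject-Cumulative.ps1 (hypothetical name) - added example, not the author's step.
# Run in WinPE after the OS image has been applied to disk.
param(
    # Root of the offline OS, e.g. the drive the Apply Operating System step wrote to
    [Parameter(Mandatory = $true)] [string] $ImagePath,
    # Folder that holds the downloaded package content (.msu files)
    [Parameter(Mandatory = $true)] [string] $PackagePath,
    [ValidateSet('x64', 'x86')] [string] $Architecture = 'x64',
    [string] $ScratchDir = (Join-Path $env:TEMP 'DismScratch')
)

# Assumption: the architecture tag appears in the file name as "-x64_" or "-x64."
$updates = Get-ChildItem -Path $PackagePath -Filter '*.msu' |
    Where-Object { $_.Name -match "-$Architecture[_.]" } |
    Sort-Object Name

if (-not $updates) {
    Write-Host "No $Architecture .msu files found in $PackagePath"
    exit 2
}

# DISM needs working space; the default WinPE scratch area is small
New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null

foreach ($msu in $updates) {
    # Record what was injected so the build log can be audited afterwards
    $hash = (Get-FileHash -Path $msu.FullName -Algorithm SHA256).Hash
    Write-Host "Injecting $($msu.Name) SHA256=$hash"

    & dism.exe "/Image:$ImagePath" /Add-Package `
        "/PackagePath:$($msu.FullName)" "/ScratchDir:$ScratchDir"

    # 0 = success, 3010 = success with restart pending; anything else fails the step
    if ($LASTEXITCODE -notin 0, 3010) {
        Write-Host "DISM failed on $($msu.Name) with exit code $LASTEXITCODE"
        exit $LASTEXITCODE
    }
}
exit 0
```

A non-zero exit code fails the task sequence step, so a deployment does not continue silently with an unpatched image.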

The DISM injection goes WAY quicker than the Apply Patches step, and the deployment itself goes faster as well with this method.